Safeguard
Tag

dotnet-security

Safeguard articles tagged "dotnet-security" — guides, analysis, and best practices for software supply chain and application security.

24 articles

Open Source Security

Most vulnerable .NET libraries report

Safeguard's H1 2026 analysis of 41,000+ .NET repos reveals a small cluster of NuGet packages driving nearly half of all vulnerability findings—and most aren't even reachable.

Nov 14, 20258 min read
Open Source Security

ASP.NET Core vulnerability trends

A data-driven look at ASP.NET Core's recurring CVE patterns — DoS in Kestrel/SignalR, deserialization bugs, and NuGet supply chain risk — and how to triage what matters.

Nov 14, 20257 min read
Open Source Security

NuGet dependency confusion risk report

NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.

Nov 14, 20257 min read
Regulatory Compliance

SQL Injection Prevention in C# with Entity Framework/LINQ

EF Core's LINQ layer parameterizes queries by default, but FromSqlRaw, ExecuteSqlRaw, and dynamic sort columns still open real SQL injection risk in .NET apps.

Oct 26, 20258 min read
Industry Analysis

XXE Prevention in C# by Disabling XmlResolver/DTD Processing

XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.

Oct 21, 20257 min read
Vulnerability Analysis

CVE-2022-29148: Denial of service in .NET Kestrel HTTP stack

CVE-2022-21986 is a CVSS 7.5 denial-of-service flaw in .NET Kestrel's HTTP/2 and HTTP/3 handling. Here's what's affected and how to remediate it.

Sep 18, 20257 min read
Vulnerability Analysis

CVE-2023-29331: Remote code execution in .NET via crafted...

CVE-2023-29331 lets a crafted .NET assembly trigger remote code execution during loading. Here's what's affected, the severity context, and how to remediate it.

Sep 18, 20258 min read
Vulnerability Analysis

CVE-2024-0056: Security bypass in Microsoft.Data.SqlClient

CVE-2024-0056 lets attackers bypass TLS protections in Microsoft.Data.SqlClient/System.Data.SqlClient. Affected versions, remediation, and masking as defense in depth.

Sep 17, 20257 min read
Vulnerability Analysis

CVE-2024-0057: Certificate validation bypass in .NET X.50...

CVE-2024-0057 lets attackers forge X.509 certificates that bypass .NET's chain validation, risking spoofing in TLS and code-signing flows.

Sep 17, 20258 min read
Vulnerability Analysis

CVE-2018-1285: XXE in Apache log4net

CVE-2018-1285: Apache log4net before 2.0.10 fails to disable external XML entities, enabling XXE attacks via config files. Impact, fix, and detection.

Sep 16, 20258 min read
Product

How Snyk's Visual Studio extension scans .NET solutions f...

How Snyk's Visual Studio extension resolves .NET dependency trees, matches NuGet packages against its vulnerability database, and surfaces results in-editor.

Aug 18, 20258 min read
Vulnerabilities

The Moq Vulnerability: What Happened and What to Do

The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.

Aug 15, 20245 min read
dotnet-security (Page 2) — Safeguard Blog